Fixing bug: if options.signatureAlgorithm = ..sha256 => will be gener…

…ated two Reference to Body. (#1128) - added test to reproduce problem - replace usage of constant as bodyXpath for predefined reference with placeholder, resolved later for correct xpath Co-authored-by: boris.vnukov <[email protected]>
vpulim · Oct 13, 2020 · ec53c51 · ec53c51
1 parent ac6db98
commit ec53c51
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/src/security/WSSecurityCert.ts b/src/security/WSSecurityCert.ts
@@ -28,7 +28,16 @@ function generateId(): string {
   return uuidv4().replace(/-/gm, '');
 }
 
+function resolvePlaceholderInReferences(references: any[], bodyXpath: string) {
+  for (const ref of references) {
+    if (ref.xpath === bodyXpathPlaceholder) {
+      ref.xpath = bodyXpath;
+    }
+  }
+}
+
 const oasisBaseUri = 'http://docs.oasis-open.org/wss/2004/01';
+const bodyXpathPlaceholder = '[[bodyXpath]]';
 
 export interface IWSSecurityCertOptions {
   hasTimeStamp?: boolean;
@@ -65,7 +74,7 @@ export class WSSecurityCert implements ISecurity {
     if (options.signatureAlgorithm === 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') {
       this.signer.signatureAlgorithm = options.signatureAlgorithm;
       this.signer.addReference(
-        '//*[name(.)="soap:Body"]',
+          bodyXpathPlaceholder,
         [ 'http://www.w3.org/2001/10/xml-exc-c14n#' ],
         'http://www.w3.org/2001/04/xmlenc#sha256',
       );
@@ -134,6 +143,8 @@ export class WSSecurityCert implements ISecurity {
     const references = this.signatureTransformations;
 
     const bodyXpath = `//*[name(.)='${envelopeKey}:Body']`;
+    resolvePlaceholderInReferences(this.signer.references, bodyXpath);
+
     if (!(this.signer.references.filter((ref) => (ref.xpath === bodyXpath)).length > 0)) {
       this.signer.addReference(bodyXpath, references);
     }

diff --git a/test/security/WSSecurityCert.js b/test/security/WSSecurityCert.js
@@ -95,6 +95,13 @@ describe('WSSecurityCert', function () {
     xml.match(/<Reference URI="#/g).should.have.length(1);
   });
 
+  it('should only add one Reference elements, for Soap Body wsse:Security element when addTimestamp is false and SignatureMethod Algorithm=sha256', function () {
+    var instance = new WSSecurityCert(key, cert, '', { hasTimeStamp: false,  signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" });
+    var xml = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap');
+    xml.match(/<Reference URI="#/g).should.have.length(1);
+  });
+
+
   it('double post process should not add extra alments', function () {
     var instance = new WSSecurityCert(key, cert, '');
     var _ = instance.postProcess('<soap:Header></soap:Header><soap:Body><Body></Body><Timestamp></Timestamp></soap:Body>', 'soap');